net — Tool for administration of Samba and remote CIFS servers.
net {<ads|rap|rpc>} [-h|--help] [-d|--debuglevel=DEBUGLEVEL] [--debug-stdout] [--configfile=CONFIGFILE] [--option=name=value] [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full] [-R|--name-resolve=NAME-RESOLVE-ORDER] [-O|--socket-options=SOCKETOPTIONS] [-m|--max-protocol=MAXPROTOCOL] [-n|--netbiosname=NETBIOSNAME] [--netbios-scope=SCOPE] [-W|--workgroup=WORKGROUP] [--realm=REALM] [-U|--user=[DOMAIN/]USERNAME[%PASSWORD]] [-N|--no-pass] [--password=STRING] [--pw-nt-hash] [-A|--authentication-file=FILE] [-P|--machine-pass] [--simple-bind-dn=DN] [--use-kerberos=desired|required|off] [--use-krb5-ccache=CCACHE] [--use-winbind-ccache] [--client-protection=sign|encrypt|off] [-V|--version] [-w|--target-workgroup workgroup] [-I|--ipaddress ip-address] [-p|--port port] [--myname] [-S|--server server] [--long] [-v|--verbose] [-f|--force] [--request-timeout seconds] [-t|--timeout seconds] [-i|--stdin]
This tool is part of the samba(7) suite.
The Samba net utility is meant to work just like the net utility available for windows and DOS. The first argument should be used to specify the protocol to use when executing a certain command. ADS is used for ActiveDirectory, RAP is using for old (Win9x/NT3) clients and RPC can be used for NT4 and Windows 2000. If this argument is omitted, net will try to determine it automatically. Not all commands are available on all protocols.
Sets target workgroup or domain. You have to specify either this option or the IP address or the name of a server.
IP address of target server to use. You have to specify either this option or a target workgroup or a target server.
Port on the target server to connect to (usually 139 or 445). Defaults to trying 445 first, then 139.
Name of target server. You should specify either this option or a target workgroup or a target IP address.
When listing data, give more information on each item.
When listing data, give more verbose information on each item.
Enforcing a net command.
Let client requests timeout after 30 seconds the default is 10 seconds.
Set timeout for client operations to 30 seconds.
Take input for net commands from standard input.
Only test command sequence, dry-run.
Pass down integer flags to a net subcommand.
Pass down a comment string to a net subcommand.
Use MYNAME as a requester name for a net subcommand.
Use a specific AD container for net ads operations.
Fill in the maxusers field in net rpc share operations.
Reboot a remote machine after a command has been successfully executed (e.g. in remote join operations).
When calling "net rpc vampire keytab" this option enforces a full re-creation of the generated keytab file.
When calling "net rpc vampire keytab" this option allows one to replicate just a single object to the generated keytab file.
When calling "net rpc vampire keytab" this option allows one to cleanup old entries from the generated keytab file.
Define dbfile for "net idmap" commands.
Activates locking of the dbfile for "net idmap check" command.
Activates noninteractive mode in "net idmap check".
Activates repair mode in "net idmap check".
Includes ACLs to be copied in "net rpc share migrate".
Includes file attributes to be copied in "net rpc share migrate".
Includes timestamps to be copied in "net rpc share migrate".
Allows one to exclude directories when copying with "net rpc share migrate".
Defines the target servername of migration process (defaults to localhost).
Sets the type of group mapping to local (used in "net groupmap set").
Sets the type of group mapping to domain (used in "net groupmap set").
Sets the ntname of a group mapping (used in "net groupmap set").
Sets the rid of a group mapping (used in "net groupmap set").
Assume database version {n|1,2,3} (used in "net registry check").
Output database file (used in "net registry check").
Create a new database from scratch (used in "net registry check").
Defines filename for database prechecking (used in "net registry import").
Do not perform DNS updates as part of "net ads join".
Prevent the machine account removal as part of "net ads leave".
Report results in JSON format for "net ads info" and "net ads lookup".
Traverse a directory hierarchy.
Continue traversing a directory hierarchy in case conversion of one file fails.
Follow symlinks encountered while traversing a directory.
level is an integer from 0
to 10. The default value if this parameter is not
specified is 1 for client applications.
The higher this value, the more detail will be logged to the log files about the activities of the server. At level 0, only critical errors and serious warnings will be logged. Level 1 is a reasonable level for day-to-day running - it generates a small amount of information about operations carried out.
Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.
Note that specifying this parameter here will override
the log level parameter in the
${prefix}/etc/smb.conf file.
This will redirect debug output to STDOUT. By default all clients are logging to STDERR.
The file specified contains the configuration details
required by the client. The information in this file
can be general for client and server or only provide
client specific like options such as
client smb encrypt. See
${prefix}/etc/smb.conf for more information. The default
configuration file name is determined at compile time.
Set the smb.conf(5) option "<name>" to value "<value>" from the command line. This overrides compiled-in defaults and options read from the configuration file. If a name or a value includes a space, wrap whole --option=name=value into quotes.
Base directory name for log/debug files. The extension
".progname" will be appended (e.g.
log.smbclient, log.smbd, etc...). The log file is never
removed by the client.
Enable talloc leak reporting on exit.
Enable full talloc leak reporting on exit.
Prints the program version number.
This option is used to determine what naming services and in what order to resolve host names to IP addresses. The option takes a space-separated string of different name resolution options. The best ist to wrap the whole --name-resolve=NAME-RESOLVE-ORDER into quotes.
The options are: "lmhosts", "host", "wins" and "bcast". They cause names to be resolved as follows:
lmhosts: Lookup an
IP address in the Samba lmhosts file.
If the line in lmhosts has no name type
attached to the NetBIOS name (see the
lmhosts(5)
for details) then any name type matches
for lookup.
host: Do a
standard host name to IP address
resolution, using the system
/etc/hosts, NIS,
or DNS lookups. This method of name
resolution is operating system
dependent, for instance on IRIX or
Solaris this may be controlled by the
/etc/nsswitch.conf
file). Note that this
method is only used if the NetBIOS name
type being queried is the 0x20 (server)
name type, otherwise it is ignored.
wins: Query a name
with the IP address listed in the
wins server
parameter. If no WINS server has been
specified this method will be ignored.
bcast: Do a
broadcast on each of the known local
interfaces listed in the
interfaces
parameter. This is the least reliable
of the name resolution methods as it
depends on the target host being on a
locally connected subnet.
If this parameter is not set then the name resolve
order defined in the ${prefix}/etc/smb.conf file parameter
(name resolve order) will be
used.
The default order is lmhosts, host, wins, bcast.
Without this parameter or any entry in the
name resolve order parameter
of the ${prefix}/etc/smb.conf file, the name resolution methods
will be attempted in this order.
TCP socket options to set on the client socket. See the
socket options parameter in the ${prefix}/etc/smb.conf manual page
for the list of valid options.
The value of the parameter (a string) is the highest protocol level that will be supported by the client.
Note that specifying this parameter here will override
the client max protocol
parameter in the ${prefix}/etc/smb.conf file.
This option allows you to override the NetBIOS name
that Samba uses for itself. This is identical to
setting the netbios name
parameter in the ${prefix}/etc/smb.conf file. However, a command
line setting will take precedence over settings in
${prefix}/etc/smb.conf.
This specifies a NetBIOS scope that
nmblookup will use to communicate
with when generating NetBIOS names. For details on the
use of NetBIOS scopes, see rfc1001.txt and rfc1002.txt.
NetBIOS scopes are very rarely
used, only set this parameter if you are the system
administrator in charge of all the NetBIOS systems you
communicate with.
Set the SMB domain of the username. This overrides the default domain which is the domain defined in smb.conf. If the domain specified is the same as the servers NetBIOS name, it causes the client to log on using the servers local SAM (as opposed to the Domain SAM).
Note that specifying this parameter here will override
the workgroup parameter in the
${prefix}/etc/smb.conf file.
Set the realm for the domain.
Note that specifying this parameter here will override
the realm parameter in the
${prefix}/etc/smb.conf file.
Sets the SMB username or username and password.
If %PASSWORD is not specified, the user will be
prompted. The client will first check the
USER environment variable
(which is also permitted to also contain the
password separated by a %), then the
LOGNAME variable (which is not
permitted to contain a password) and if either exists,
the value is used. If these environmental
variables are not found, the username
found in a Kerberos Credentials cache may be used.
A third option is to use a credentials file which
contains the plaintext of the username and password.
This option is mainly provided for scripts where the
admin does not wish to pass the credentials on the
command line or via environment variables. If this
method is used, make certain that the permissions on
the file restrict access from unwanted users. See the
-A for more details.
Be cautious about including passwords in scripts
or passing user-supplied values onto the command line. For
security it is better to let the Samba client tool ask for the
password if needed, or obtain the password once with kinit.
While Samba will attempt to scrub the password from the process title (as seen in ps), this is after startup and so is subject to a race.
If specified, this parameter suppresses the normal password prompt from the client to the user. This is useful when accessing a service that does not require a password.
Unless a password is specified on the command line or this parameter is specified, the client will request a password.
If a password is specified on the command line and this option is also defined the password on the command line will be silently ignored and no password will be used.
Specify the password on the commandline.
Be cautious about including passwords in
scripts or passing user-supplied values onto
the command line. For security it is better to
let the Samba client tool ask for the password
if needed, or obtain the password once with
kinit.
If --password is not specified,
the tool will check the PASSWD
environment variable, followed by PASSWD_FD
which is expected to contain an open
file descriptor (FD) number.
Finally it will check PASSWD_FILE (containing
a file path to be opened). The file should only
contain the password. Make certain that the
permissions on the file restrict
access from unwanted users!
While Samba will attempt to scrub the password from the process title (as seen in ps), this is after startup and so is subject to a race.
The supplied password is the NT hash.
This option allows you to specify a file from which to read the username and password used in the connection. The format of the file is:
username = <value> password = <value> domain = <value>
Make certain that the permissions on the file restrict access from unwanted users!
Use stored machine account password.
DN to use for a simple bind.
This parameter determines whether Samba client tools will try to authenticate using Kerberos. For Kerberos authentication you need to use dns names instead of IP addresses when connecting to a service.
Note that specifying this parameter here will override
the client use kerberos
parameter in the ${prefix}/etc/smb.conf file.
Specifies the credential cache location for Kerberos authentication.
This will set --use-kerberos=required too.
Try to use the credential cache by winbind.
Sets the connection protection the client tool should use.
Note that specifying this parameter here will override
the client protection
parameter in the ${prefix}/etc/smb.conf file.
In case you need more fine grained control you can use:
--option=clientsmbencrypt=OPTION,
--option=clientipcsigning=OPTION,
--option=clientsigning=OPTION.
This command allows the Samba machine account password to be set from an external application to a machine account password that has already been stored in Active Directory. DO NOT USE this command unless you know exactly what you are doing. The use of this command requires that the force flag (-f) be used also. There will be NO command prompt. Whatever information is piped into stdin, either by typing at the command line or otherwise, will be stored as the literal machine password. Do NOT use this without care and attention as it will overwrite a legitimate machine password without warning. YOU HAVE BEEN WARNED.
The NET TIME command allows you to view the time on a remote server
or synchronise the time on the local server with the time on the remote server.
Without any options, the NET TIME command
displays the time on the remote server. The remote server must be
specified with the -S option.
Displays the time on the remote server in a format ready for /bin/date.
The remote server must be specified with the -S option.
Join a domain. If the account already exists on the server, and [TYPE] is MEMBER, the machine will attempt to join automatically. (Assuming that the machine has been created in server manager) Otherwise, a password will be prompted for, and a new account may be created.
[TYPE] may be PDC, BDC or MEMBER to specify the type of server joining the domain.
[FQDN] (ADS only) set the dnsHostName attribute during the join. The default format is netbiosname.dnsdomain.
[UPN] (ADS only) set the principalname attribute during the join. The default format is host/netbiosname@REALM.
[OU] (ADS only) Precreate the computer account in a specific OU. The OU string reads from top to bottom without RDNs, and is delimited by a '/'. Please note that '\' is used for escape by both the shell and ldap, so it may need to be doubled or quadrupled to pass through, and it is not used as a delimiter.
[PASS] (ADS only) Set a specific password on the computer account being created by the join.
[osName=string osVer=String] (ADS only) Set the operatingSystem and operatingSystemVersion attribute during the join. Both parameters must be specified for either to take effect.
Join a domain. Use the OLDJOIN option to join the domain using the old style of domain joining - you need to create a trust account in server manager first.
Enumerates all exported resources (network shares) on target server.
user [password]Validate whether the specified user can log in to the remote server. If the password is not specified on the commandline, it will be prompted.
Currently NOT implemented.
commandExecute the specified command on
the remote server. Only works with OS/2 servers.
Currently NOT implemented.
HOSTNAME [TYPE]Lookup the IP address of the given host with the specified type (netbios suffix). The type defaults to 0x20 (workstation).
Samba uses a general caching interface called 'gencache'. It can be controlled using 'NET CACHE'.
All the timeout parameters support the suffixes:
| s - Seconds |
| m - Minutes |
| h - Hours |
| d - Days |
| w - Weeks |
Prints the SID of the specified domain, or if the parameter is omitted, the SID of the local server.
Manage the mappings between Windows group SIDs and UNIX groups. Common options include:
unixgroup - Name of the UNIX group
ntgroup - Name of the Windows NT group (must be resolvable to a SID
rid - Unsigned 32-bit integer
sid - Full SID in the form of "S-1-..."
type - Type of the group; either 'domain', 'local', or 'builtin'
comment - Freeform text description of the group
Add a new group mapping entry:
net groupmap add {rid=int|sid=string} unixgroup=string \
[type={domain|local}] [ntgroup=string] [comment=string]
Delete a group mapping entry. If more than one group name matches, the first entry found is deleted.
net groupmap delete {ntgroup=string|sid=SID}
Prints out the highest RID currently in use on the local server (by the active 'passdb backend').
Print information about the domain of the remote server, such as domain name, domain sid and number of users and groups.
DOMAINAdd a interdomain trust account for DOMAIN.
This is in fact a Samba account named DOMAIN$
with the account flag 'I' (interdomain trust account).
This is required for incoming trusts to work. It makes Samba be a
trusted domain of the foreign (trusting) domain.
Users of the Samba domain will be made available in the foreign domain.
If the command is used against localhost it has the same effect as
smbpasswd -a -i DOMAIN. Please note that both commands
expect a appropriate UNIX account.
DOMAINRemove interdomain trust account for
DOMAIN. If it is used against localhost
it has the same effect as smbpasswd -x DOMAIN$.
DOMAINEstablish a trust relationship to a trusted domain. Interdomain account must already be created on the remote PDC. This is required for outgoing trusts to work. It makes Samba be a trusting domain of a foreign (trusted) domain. Users of the foreign domain will be made available in our domain. You'll need winbind and a working idmap config to make them appear in your system.
Create a trust object by calling lsaCreateTrustedDomainEx2. The can be done on a single server or on two servers at once with the possibility to use a random trust password.
Options:
Domain controller of the second domain
Admin user in the second domain
SID of the second domain
NetBIOS (short) name of the second domain
DNS (full) name of the second domain
Trust password
Examples:
net rpc trust create \
otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
other_netbios_domain=dom2 \
otherdomain=dom2.dom \
trustpw=12345678 \
-S srv1.dom1.dom
net rpc trust create \
otherserver=srv2.dom2.test \
otheruser=dom2adm \
-S srv1.dom1.dom
Delete a trust object by calling lsaDeleteTrustedDomain. The can be done on a single server or on two servers at once.
Options:
Domain controller of the second domain
Admin user in the second domain
SID of the second domain
Examples:
net rpc trust delete \
otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
-S srv1.dom1.dom
net rpc trust delete \
otherserver=srv2.dom2.test \
otheruser=dom2adm \
-S srv1.dom1.dom
Shut down the remote server.
Reboot after shutdown.
Force shutting down all applications.
Timeout before system will be shut down. An interactive user of the system can use this time to cancel the shutdown.
Display the specified message on the screen to announce the shutdown.
Print out sam database of remote server. You need to run this against the PDC, from a Samba machine joined as a BDC.
Export users, aliases and groups from remote server to local server. You need to run this against the PDC, from a Samba machine joined as a BDC. This vampire command cannot be used against an Active Directory, only against an NT4 Domain Controller.
Apply GPOs for a username or machine name. Either username or machine name should be provided to the command, not both.
LINKDN] [GPODN]Link a container to a GPO. LINKDN Container to link to a GPO. GPODN GPO to link container to. DNs must be provided properly escaped. See RFC 4514 for details.
Print out status of machine account of the local machine in ADS.
Prints out quite some debug info. Aimed at developers, regular
users should use NET ADS TESTJOIN.
EXPRESSION ATTRIBUTES...Perform a raw LDAP search on a ADS server and dump the results. The expression is a standard LDAP search expression, and the attributes are a list of LDAP fields to show in the results.
Example: net ads search '(objectCategory=group)' sAMAccountName
DN (attributes)Perform a raw LDAP search on a ADS server and dump the results. The DN standard LDAP DN, and the attributes are a list of LDAP fields to show in the result.
Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' SAMAccountName
CREATECreates a new keytab file if one doesn't exist with default entries. Default entries are kerberos principals created from the machinename of the client, the UPN (if it exists) and any Windows SPN(s) associated with the computer AD account for the client. If a keytab file already exists then only missing kerberos principals from the default entries are added. No changes are made to the computer AD account.
ADD (principal | machine | serviceclass | windows SPNAdds a new keytab entry, the entry can be either;
A kerberos principal (identified by the presence of '@') is just added to the keytab file.
A machinename (identified by the trailing '$') is used to create a a kerberos principal 'machinename@realm' which is added to the keytab file.
A serviceclass (such as 'cifs', 'html' etc.) is used to create a pair of kerberos principals 'serviceclass/fully_qualified_dns_name@realm' & 'serviceclass/netbios_name@realm' which are added to the keytab file.
A Windows SPN is of the format 'serviceclass/host:port', it is used to create a kerberos principal 'serviceclass/host@realm' which will be written to the keytab file.
Unlike old versions no computer AD objects are modified by this command. To preserve the bevhaviour of older clients 'net ads keytab ad_update_ads' is available.
ADD_UPDATE_ADS (principal | machine | serviceclass | windows SPNAdds a new keytab entry (see section for net ads keytab add). In addition to adding entries to the keytab file corrosponding Windows SPNs are created from the entry passed to this command. These SPN(s) added to the AD computer account object associated with the client machine running this command for the following entry types;
A serviceclass (such as 'cifs', 'html' etc.) is used to create a pair of Windows SPN(s) 'param/full_qualified_dns' & 'param/netbios_name' which are added to the AD computer account object for this client.
A Windows SPN is of the format 'serviceclass/host:port', it is added as passed to the AD computer account object for this client.
SETSPN LIST [machine]Lists the Windows SPNs stored in the 'machine' Windows AD Computer object. If 'machine' is not specified then computer account for this client is used instead.
SETSPN ADD SPN [machine]Adds the specified Windows SPN to the 'machine' Windows AD Computer object. If 'machine' is not specified then computer account for this client is used instead.
SETSPN DELETE SPN [machine]DELETE the specified Window SPN from the 'machine' Windows AD Computer object. If 'machine' is not specified then computer account for this client is used instead.
List, modify or delete the value of the "msDS-SupportedEncryptionTypes" attribute of an account in AD.
This attribute allows one to control which Kerberos encryption types are used for the generation of initial and service tickets. The value consists of an integer bitmask with the following values:
0x00000001 DES-CBC-CRC
0x00000002 DES-CBC-MD5
0x00000004 RC4-HMAC
0x00000008 AES128-CTS-HMAC-SHA1-96
0x00000010 AES256-CTS-HMAC-SHA1-96
<ACCOUNTNAME>List the value of the "msDS-SupportedEncryptionTypes" attribute of a given account.
Example: net ads enctypes list Computername
<ACCOUNTNAME> [enctypes]Set the value of the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME to a given value. If the value is omitted, the value is set to 31 which enables all the currently supported encryption types.
Example: net ads enctypes set Computername 24
<ACCOUNTNAME>Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME.
Example: net ads enctypes set Computername 24
(Re)Create a BUILTIN group. Only a wellknown set of BUILTIN groups can be created with this command. This is the list of currently recognized group names: Administrators, Users, Guests, Power Users, Account Operators, Server Operators, Print Operators, Backup Operators, Replicator, RAS Servers, Pre-Windows 2000 compatible Access. This command requires a running Winbindd with idmap allocation properly configured. The group gid will be allocated out of the winbindd range.
Create a LOCAL group (also known as Alias). This command requires a running Winbindd with idmap allocation properly configured. The group gid will be allocated out of the winbindd range.
Map an existing Unix group and make it a Domain Group, the domain group will have the same name.
Add a member to a Local group. The group can be specified only by name, the member can be specified by name or SID.
Remove a member from a Local group. The group and the member must be specified by name.
List the specified set of accounts by name. If verbose is specified, the rid and description is also provided for each account.
Set the workstations a user account is allowed to log in from.
Set or unset the "password must change" flag for a user account.
Set a value for the account policy. Valid values can be: "forever", "never", "off", or a number.
Only available if ldapsam:editposix is set and winbindd is running. Properly populates the ldap tree with the basic accounts (Administrator) and groups (Domain Users, Domain Admins, Domain Guests) on the ldap tree.
Dumps the mappings contained in the local tdb file specified. This command is useful to dump only the mappings produced by the idmap_tdb backend.
Store a secret for the specified domain, used primarily for domains that use idmap_ldap as a backend. In this case the secret is used as the password for the user DN used to bind to the ldap server.
Store a domain-range mapping for a given domain (and index) in autorid database.
Get the range for a given domain and index from autorid database.
Delete a mapping sid <-> gid or sid <-> uid from the IDMAP database. The mapping is given by <ID> which may either be a sid: S-x-..., a gid: "GID number" or a uid: "UID number". Use -f to delete an invalid partial mapping <ID> -> xx
Use "smbcontrol all idmap ..." to notify running smbd instances. See the smbcontrol(1) manpage for details.
Delete a domain range mapping identified by 'RANGE' or "domain SID and INDEX" from autorid database. Use -f to delete invalid mappings.
Delete all domain range mappings for a domain identified by SID. Use -f to delete invalid mappings.
Check and repair the IDMAP database. If no option is given a read only check of the database is done. Among others an interactive or automatic repair mode may be chosen with one of the following options:
Interactive repair mode, ask a lot of questions.
Noninteractive repair mode, use default answers.
Produce more output.
Try to apply changes, even if they do not apply cleanly.
Dry run, show what changes would be made but don't touch anything.
Lock the database while doing the check.
Check the specified database.
It reports about the finding of the following errors:
A record with mapping A->B where there is no B->A. Default action in repair mode is to "fix" this by adding the reverse mapping.
A record with mapping A->B where B->C. Default action is to "delete" this record.
A high water mark is not at least equal to the largest ID in the database. Default action is to "fix" this by setting it to the largest ID found +1.
Something we failed to parse. Default action is to "edit" it in interactive and "delete" it in automatic mode.
Starting with version 3.0.23, a Samba server now supports the ability for non-root users to add user defined shares to be exported using the "net usershare" commands.
To set this up, first set up your ${prefix}/etc/smb.conf by adding to the [global] section:
usershare path = /usr/local/samba/lib/usershares
Next create the directory /usr/local/samba/lib/usershares, change the owner to root and
set the group owner to the UNIX group who should have the ability to create usershares,
for example a group called "serverops".
Set the permissions on /usr/local/samba/lib/usershares to 01770.
(Owner and group all access, no access for others, plus the sticky bit,
which means that a file in that directory can be renamed or deleted only
by the owner of the file).
Finally, tell smbd how many usershares you will allow by adding to the [global]
section of ${prefix}/etc/smb.conf a line such as :
usershare max shares = 100.
To allow 100 usershare definitions. Now, members of the UNIX group "serverops"
can create user defined shares on demand using the commands below.
The usershare commands are:
| net usershare add sharename path [comment [acl] [guest_ok=[y|n]]] - to add or change a user defined share. |
| net usershare delete sharename - to delete a user defined share. |
| net usershare info [--long] [wildcard sharename] - to print info about a user defined share. |
| net usershare list [--long] [wildcard sharename] - to list user defined shares. |
sharename path [comment] [acl] [guest_ok=[y|n]]Add or replace a new user defined share, with name "sharename".
"path" specifies the absolute pathname on the system to be exported.
Restrictions may be put on this, see the global ${prefix}/etc/smb.conf parameters:
"usershare owner only", "usershare prefix allow list", and
"usershare prefix deny list".
The optional "comment" parameter is the comment that will appear on the share when browsed to by a client.
The optional "acl" field
specifies which users have read and write access to the entire share.
Note that guest connections are not allowed unless the ${prefix}/etc/smb.conf parameter
"usershare allow guests" has been set. The definition of a user
defined share acl is: "user:permission", where user is a valid
username on the system and permission can be "F", "R", or "D".
"F" stands for "full permissions", ie. read and write permissions.
"D" stands for "deny" for a user, ie. prevent this user from accessing
this share.
"R" stands for "read only", ie. only allow read access to this
share (no creation of new files or directories or writing to files).
The default if no "acl" is given is "Everyone:R", which means any authenticated user has read-only access.
The optional "guest_ok" has the same effect as the parameter of the
same name in ${prefix}/etc/smb.conf, in that it allows guest access to this user
defined share. This parameter is only allowed if the global parameter
"usershare allow guests" has been set to true in the ${prefix}/etc/smb.conf.
sharenameDeletes the user defined share by name. The Samba smbd daemon immediately notices this change, although it will not disconnect any users currently connected to the deleted share.
[--long] [wildcard sharename]Get info on user defined shares owned by the current user matching the given pattern, or all users.
net usershare info on its own dumps out info on the user defined shares that were created by the current user, or restricts them to share names that match the given wildcard pattern ('*' matches one or more characters, '?' matches only one character). If the '--long' option is also given, it prints out info on user defined shares created by other users.
The information given about a share looks like: [foobar] path=/home/jeremy comment=testme usershare_acl=Everyone:F guest_ok=n And is a list of the current settings of the user defined share that can be modified by the "net usershare add" command.
[--long] wildcard sharenameList all the user defined shares owned by the current user matching the given pattern, or all users.
net usershare list on its own list out the names of the user defined shares that were created by the current user, or restricts the list to share names that match the given wildcard pattern ('*' matches one or more characters, '?' matches only one character). If the '--long' option is also given, it includes the names of user defined shares created by other users.
Starting with version 3.2.0, a Samba server can be configured by data stored in registry. This configuration data can be edited with the new "net conf" commands. There is also the possibility to configure a remote Samba server by enabling the RPC conf mode and specifying the address of the remote server.
The deployment of this configuration data can be activated in two levels from the
${prefix}/etc/smb.conf file: Share definitions from registry are
activated by setting registry shares to
“yes” in the [global] section and global configuration options are
activated by setting include = registry in
the [global] section for a mixed configuration or by setting
config backend = registry in the [global]
section for a registry-only configuration.
See the smb.conf(5) manpage for details.
The conf commands are:
| net [rpc] conf list - Dump the complete configuration in smb.conf like format. |
| net [rpc] conf import - Import configuration from file in smb.conf format. |
| net [rpc] conf listshares - List the registry shares. |
| net [rpc] conf drop - Delete the complete configuration from registry. |
| net [rpc] conf showshare - Show the definition of a registry share. |
| net [rpc] conf addshare - Create a new registry share. |
| net [rpc] conf delshare - Delete a registry share. |
| net [rpc] conf setparm - Store a parameter. |
| net [rpc] conf getparm - Retrieve the value of a parameter. |
| net [rpc] conf delparm - Delete a parameter. |
| net [rpc] conf getincludes - Show the includes of a share definition. |
| net [rpc] conf setincludes - Set includes for a share. |
| net [rpc] conf delincludes - Delete includes from a share definition. |
Print the configuration data stored in the registry in a smb.conf-like format to standard output.
[--test|-T] filename [section]This command imports configuration from a file in smb.conf format. If a section encountered in the input file is present in registry, its contents is replaced. Sections of registry configuration that have no counterpart in the input file are not affected. If you want to delete these, you will have to use the "net conf drop" or "net conf delshare" commands. Optionally, a section may be specified to restrict the effect of the import command to that specific section. A test mode is enabled by specifying the parameter "-T" on the commandline. In test mode, no changes are made to the registry, and the resulting configuration is printed to standard output instead.
sharenameShow the definition of the share or section specified. It is valid to specify "global" as sharename to retrieve the global configuration options from registry.
sharename path [writeable={y|N} [guest_ok={y|N} [comment]]] Create a new share definition in registry. The sharename and path have to be given. The share name may not be "global". Optionally, values for the very common options "writeable", "guest ok" and a "comment" may be specified. The same result may be obtained by a sequence of "net conf setparm" commands.
section parameter valueStore a parameter in registry. The section may be global or a sharename. The section is created if it does not exist yet.
sectionGet the list of includes for the provided section (global or share).
Note that due to the nature of the registry database and the nature of include directives, the includes need special treatment: Parameters are stored in registry by the parameter name as valuename, so there is only ever one instance of a parameter per share. Also, a specific order like in a text file is not guaranteed. For all real parameters, this is perfectly ok, but the include directive is rather a meta parameter, for which, in the smb.conf text file, the place where it is specified between the other parameters is very important. This can not be achieved by the simple registry smbconf data model, so there is one ordered list of includes per share, and this list is evaluated after all the parameters of the share.
Further note that currently, only files can be included from registry configuration. In the future, there will be the ability to include configuration data from other registry keys.
Manipulate Samba's registry.
The registry commands are:
| net registry enumerate - Enumerate registry keys and values. |
| net registry enumerate_recursive - Enumerate registry key and its subkeys. |
| net registry createkey - Create a new registry key. |
| net registry deletekey - Delete a registry key. |
| net registry deletekey_recursive - Delete a registry key with subkeys. |
| net registry getvalue - Print a registry value. |
| net registry getvalueraw - Print a registry value (raw format). |
| net registry setvalue - Set a new registry value. |
| net registry increment - Increment a DWORD registry value under a lock. |
| net registry deletevalue - Delete a registry value. |
| net registry getsd - Get security descriptor. |
| net registry getsd_sdd1 - Get security descriptor in sddl format. |
| net registry setsd_sdd1 - Set security descriptor from sddl format string. |
| net registry import - Import a registration entries (.reg) file. |
| net registry export - Export a registration entries (.reg) file. |
| net registry convert - Convert a registration entries (.reg) file. |
| net registry check - Check and repair a registry database. |
key Delete the given key and all of its subkeys and values from the registry.
key name type value ...Set the value name
of an existing key.
type may be one of
sz, multi_sz or
dword.
In case of multi_sz value may
be given multiple times.
key name [inc]Increment the DWORD value name
of key by inc
while holding a g_lock.
inc defaults to 1.
keyGet the security descriptor of the given key as a Security Descriptor Definition Language (SDDL) string.
keysdSet the security descriptor of the given key from a Security Descriptor Definition Language (SDDL) string sd.
file [--precheck <check-file>] [opt]Import a registration entries (.reg) file.
The following options are available:
check-fileThis is a mechanism to check the existence or non-existence of certain keys or values specified in a precheck file before applying the import file. The import file will only be applied if the precheck succeeds.
The check-file follows the normal registry file syntax with the following semantics:
<value name>=<value> checks whether the value exists and has the given value.
<value name>=- checks whether the value does not exist.
[key] checks whether the key exists.
[-key] checks whether the key does not exist.
Check and repair the registry database. If no option is given a read only check of the database is done. Among others an interactive or automatic repair mode may be chosen with one of the following options
Interactive repair mode, ask a lot of questions.
Noninteractive repair mode, use default answers.
Produce more output.
Dry run, show what changes would be made but don't touch anything.
Lock the database while doing the check.
Specify the format of the registry database. If not given it defaults to the value of the binary or, if an registry.tdb is explicitly stated at the commandline, to the value found in the INFO/version record.
Check the specified database.
Create a new registry database <ODB> instead of modifying the input. If <ODB> is already existing --wipe may be used to overwrite it.
Replace the registry database instead of modifying the input or overwrite an existing output database.
Starting with version 3.4.0 net can read, dump, import and export native win32 eventlog files (usually *.evt). evt files are used by the native Windows eventviewer tools.
The import and export of evt files can only succeed when eventlog list is used in
${prefix}/etc/smb.conf file.
See the smb.conf(5) manpage for details.
The eventlog commands are:
| net eventlog dump - Dump a eventlog *.evt file on the screen. |
| net eventlog import - Import a eventlog *.evt into the samba internal tdb based representation of eventlogs. |
| net eventlog export - Export the samba internal tdb based representation of eventlogs into an eventlog *.evt file. |
filename eventlog
Imports a eventlog *.evt file defined by filename into the
samba internal tdb representation of eventlog defined by eventlog.
eventlog needs to part of the eventlog list
defined in ${prefix}/etc/smb.conf.
See the smb.conf(5) manpage for details.
filename eventlog
Exports the samba internal tdb representation of eventlog defined by eventlog
to a eventlog *.evt file defined by filename.
eventlog needs to part of the eventlog list
defined in ${prefix}/etc/smb.conf.
See the smb.conf(5) manpage for details.
Starting with version 3.2.0 Samba has support for remote join and unjoin APIs, both client and server-side. Windows supports remote join capabilities since Windows 2000.
In order for Samba to be joined or unjoined remotely an account must be used that is either member of the Domain Admins group, a member of the local Administrators group or a user that is granted the SeMachineAccountPrivilege privilege.
The client side support for remote join is implemented in the net dom commands which are:
| net dom join - Join a remote computer into a domain. |
| net dom unjoin - Unjoin a remote computer from a domain. |
| net dom renamecomputer - Renames a remote computer joined to a domain. |
domain=DOMAIN ou=OU account=ACCOUNT password=PASSWORD rebootJoins a computer into a domain. This command supports the following additional parameters:
DOMAIN can be a NetBIOS domain name (also known as short domain name) or a DNS domain name for Active Directory Domains. As in Windows, it is also possible to control which Domain Controller to use. This can be achieved by appending the DC name using the \ separator character. Example: MYDOM\MYDC. The DOMAIN parameter cannot be NULL.
OU can be set to a RFC 1779 LDAP DN, like ou=mymachines,cn=Users,dc=example,dc=com in order to create the machine account in a non-default LDAP container. This optional parameter is only supported when joining Active Directory Domains.
ACCOUNT defines a domain account that will be used to join the machine to the domain. This domain account needs to have sufficient privileges to join machines.
PASSWORD defines the password for the domain account defined with ACCOUNT.
REBOOT is an optional parameter that can be set to reboot the remote machine after successful join to the domain.
Note that you also need to use standard net parameters to connect and authenticate to the remote machine that you want to join. These additional parameters include: -S computer and -U user.
Example: net dom join -S xp -U XP\\administrator%secret domain=MYDOM account=MYDOM\\administrator password=topsecret reboot.
This example would connect to a computer named XP as the local administrator using password secret, and join the computer into a domain called MYDOM using the MYDOM domain administrator account and password topsecret. After successful join, the computer would reboot.
account=ACCOUNT password=PASSWORD rebootUnjoins a computer from a domain. This command supports the following additional parameters:
ACCOUNT defines a domain account that will be used to unjoin the machine from the domain. This domain account needs to have sufficient privileges to unjoin machines.
PASSWORD defines the password for the domain account defined with ACCOUNT.
REBOOT is an optional parameter that can be set to reboot the remote machine after successful unjoin from the domain.
Note that you also need to use standard net parameters to connect and authenticate to the remote machine that you want to unjoin. These additional parameters include: -S computer and -U user.
Example: net dom unjoin -S xp -U XP\\administrator%secret account=MYDOM\\administrator password=topsecret reboot.
This example would connect to a computer named XP as the local administrator using password secret, and unjoin the computer from the domain using the MYDOM domain administrator account and password topsecret. After successful unjoin, the computer would reboot.
newname=NEWNAME account=ACCOUNT password=PASSWORD rebootRenames a computer that is joined to a domain. This command supports the following additional parameters:
NEWNAME defines the new name of the machine in the domain.
ACCOUNT defines a domain account that will be used to rename the machine in the domain. This domain account needs to have sufficient privileges to rename machines.
PASSWORD defines the password for the domain account defined with ACCOUNT.
REBOOT is an optional parameter that can be set to reboot the remote machine after successful rename in the domain.
Note that you also need to use standard net parameters to connect and authenticate to the remote machine that you want to rename in the domain. These additional parameters include: -S computer and -U user.
Example: net dom renamecomputer -S xp -U XP\\administrator%secret newname=XPNEW account=MYDOM\\administrator password=topsecret reboot.
This example would connect to a computer named XP as the local administrator using password secret, and rename the joined computer to XPNEW using the MYDOM domain administrator account and password topsecret. After successful rename, the computer would reboot.
Manage global locks.
lockname timeout command
Execute a shell command under a global lock. This might be useful to define the
order in which several shell commands will be executed. The locking information
is stored in a file called g_lock.tdb. In setups with CTDB
running, the locking information will be available on all cluster nodes.
LOCKNAME defines the name of the global lock.
TIMEOUT defines the timeout.
COMMAND defines the shell command to execute.
Access shared filesystem through the VFS.
share pathConvert file streams to AppleDouble files.
share
A Samba share.
path A relative path of something in
the Samba share. "." can be used for the root directory of the
share.
Options:
Traverse a directory hierarchy.
Verbose output.
Continue traversing a directory hierarchy if a single conversion fails.
Follow symlinks encountered while traversing a directory.
Starting with version 4.15 Samba has support for offline join APIs. Windows supports offline join capabilities since Windows 7 and Windows 2008 R2.
The following offline commands are implemented:
| net offlinejoin provision - Provisions a machine account in AD. |
| net offlinejoin requestodj - Requests a domain offline join. |
domain=DOMAIN machine_name=MACHINE_NAME machine_account_ou=MACHINE_ACCOUNT_OU dcname=DCNAME defpwd reuse savefile=FILENAME printblobProvisions a machine account in AD. This command needs network connectivity to the domain controller to succeed. This command supports the following additional parameters:
DOMAIN can be a NetBIOS domain name (also known as short domain name) or a DNS domain name for Active Directory Domains. The DOMAIN parameter cannot be NULL.
MACHINE_NAME defines the machine account name that will be provisioned in AD. The MACHINE_NAME parameter cannot be NULL.
MACHINE_ACCOUNT_OU can be set to a RFC 1779 LDAP DN, like ou=mymachines,cn=Users,dc=example,dc=com in order to create the machine account in a non-default LDAP container. This optional parameter is only supported when joining Active Directory Domains.
DCNAME defines a specific domain controller for creating the machine account in AD.
DEFPWD is an optional parameter that can be set to enforce using the default machine account password. The use of this parameter is not recommended as the default machine account password can be easily guessed.
REUSE is an optional parameter that can be set to enforce reusing an existing machine account in AD.
SAVEFILE is an optional parameter to store the generated provisioning data on disk.
PRINTBLOB is an optional parameter to print the generated provisioning data on stdout.
Example: net offlinejoin provision -U administrator%secret domain=MYDOM machine_name=MYHOST savefile=provisioning.txt
loadfile=FILENAMERequests an offline domain join by providing file-based provisioning data. This command supports the following additional parameters:
LOADFILE is a required parameter to load the provisioning from a file.
Example: net offlinejoin requestodj -U administrator%secret loadfile=provisioning.txt